A recently exposed weakness in a major email encryption standard has prompted several companies to update their messaging platforms, and a government advisory has urged others to do the same.

The issue relates to an email security standard known as DKIM, or DomainKeys Identified Mail, which embeds messages with a crytographic signature designed to verify the domain name that sent the message. The standard helps filter out spoofed messages from legitimate ones. However, improvements in computing power have made it possible to crack increasingly long keys.

In an advisory released on October 24, US-CERT cautioned that signing keys of less than 1,024 bits are now considered weak and that keys of up to 768 bits have been factored, or cracked. The threat arising from a weak encryption key is that a savvy party could impersonate a sender at a trusted domain, enabling spear phishing and other attacks.

In order to protect against this threat, US-CERT warned, system administrators should replace inadequate signing keys with updated versions that are longer than 1,024 bits.

A widespread weakness
US-CERT noted in its advisory that Google, Microsoft and Yahoo had all been affected by the encryption key issue and have since updated their systems to the more secure standard.

The problem came to light when Florida mathematician Zachary Harris received an email from a Google recruiter in December 2011 and noticed it was only using a 512-bit encryption key, according to a recent Wired article. Thinking the email might be a clever test, Harris cracked the key and sent a spoofed email from Google founder Sergey Brin to co-founder Larry Page. When he did not receive a response, and instead noticed Google had increased their encryption to a 2,048-bit standard, he realized he had stumbled across a legitimate weakness.

Looking into the issue, which he told Wired he previously knew nothing about, Harris found a number of other major sites using inadequate DKIM keys – which he classified as lengths of 384 bits, 512 bits and 768 bits – including PayPal, Yahoo, Amazon, eBay, Twitter, LinkedIn, Dell, Apple, HSBC, HP, US Bank and more. Google, eBay, Yahoo, Twitter and Amazon were all using 512-bit keys, while PayPal, LinkedIn, US Bank and HSBC were using the relatively more secure 768-bit keys.

“A 384-bit key I can factor on my laptop in 24 hours,” Harris told Wired. “The 512-bit keys I can factor in about 72 hours using Amazon Web Services for $75. And I did do a number of those. Then there are the 768-bit keys. Those are not factorable by a normal person like me with my resources alone. But the government of Iran probably could, or a large group with sufficient computing resources could pull it off.”

Danger for users
The effect of this weakness is that it can enable spear phishers – hackers using targeted phishing attacks – to bypass protective filters. By cracking the key, an attacker could send an email that appeared to be from Amazon CEO Jeff Bezos, for instance, both to the recipient and the system designed to verify the email as legitimate. The data security risk of such an attack is self-evident and considerable. Furthermore, the method is not terribly complex to a technologically savvy attacker, Harris warned, pointing out that his own expertise with DKIM was limited before the discovery.

In order to solve the problem, Harris explained, organizations can simply generate a longer key, although they must be careful to remove the existing shorter key in order to ensure it does not continue to be a target for attack. Google and others have already taken this step, and US-CERT has advised all system administrators to follow suit.